Active Directory Data Administration

8/16/2019 Active Directory Data Administration

Active Directory Data Administration: User Creation & Maintenance


Contents

  Creating a User Account with AD Users and Computers
    To create a new user account
      User Logon Name (user principal name)
      Pre-Windows 2000 logon name (samaccountname)
    Account Password
      Password never expires
  User Properties or Attributes
    General Tab
      Display Name
      Description
      Office
      Telephone Number
      E-mail
      Web Page
    Address Tab
    Account Tab
    Profile, Member Of Tabs
    Telephone Tab
    Organization Tab
      Company
      GroupCompany
      EmployeeID
    Terminal Services Profile Tab
    Environment Tab
    Sessions & Remote Control Tabs
    COM+, Security, Published Certificates, Password Replication, Dial-In, Object & Attribute Editor Tabs


The First and Last name fields should correspond to the user's official business identity. Only the ASCII standard character set can be used; characters with accents cannot be used. The names used here must be consistent with the e-mail address and the logon names. Note that the Full name is filled in automatically after you enter the First and Last names. The Initial field should only be filled in if the user's e-mail address includes the initial. If the Initial field is filled in, the e-mail address should be firstname.middleinitial.lastname@company.com, for example ennedy@wppgts.com.

User Logon Name (user principal name)

The User Principal Name, or UPN, is the logon name introduced with Active Directory and Windows 2000. For compatibility the old NT-style logon is still supported, but the UPN is usually more intuitive for the user because its format is very similar to an e-mail address. For that reason it is a requirement to set the User logon name to the user's e-mail address, which should be "firstname.lastname". From the dropdown list that shows "@ad.insidemedia.net", select the user's e-mail domain, such as "groupm.com".

This is critical! If the user's UPN does not match the e-mail address, their authentication to the e-mail service will fail. The user's domain name must match the company they are assigned to; it is used to determine access to certain company resources. The user principal name must be unique in Active Directory: you can have one account with the UPN John.Smith@groupm.com and another with John.Smith@maxus.com, but you cannot have two accounts with the UPN John.Smith@maxus.com.

The Exchange Online service uses this field to identify and authenticate the user.

Pre-Windows 2000 logon name (samaccountname)

This is the old NT-style logon name. It is often used together with the domain name, for example AD\Jim.Katoe. The field is used by many legacy applications, and Global IT uses it in many infrastructure processes such as mail migration. Adhering to these standards minimizes problems for your users.

The user logon name (pre-Windows 2000) should be

Firstname.Lastname

the first (given) name, a period, then the last (sur)name: jim.katoe, vincent.fusco, sutthisin.sirachotes (Sutthisin's surname is Sirachotesophol, but the full name exceeds the 20-character limit of this attribute, so it is cut off).

Conflicts are handled by using a unique number as the last (20th) character: jim.katoe1, vincent.fusco1, sutthisin.sirachote1 (the 20th character is replaced by a unique number). Alternatively a middle initial can be used.


Compound Names

If the user has multiple first names or multiple last names and they are part of the e-mail address, they should be included in the appropriate field. For example, Billy Bob Thornton would have "Billy Bob" in the First name field (note the space). Ernest van den Haag would have "Ernest" in the First name field and "van den Haag" in the Last name field. This is very important: for the e-mail address, the user principal name and the pre-Windows 2000 logon name a space is not allowed, so remove the space for compound names. Billy Bob Thornton's e-mail address would be billybob.thornton@media.com, his user principal name would be the same, and his pre-Windows 2000 logon name would be billybob.thornton.

Note: All user accounts must correspond to an actual person. Generic accounts are not allowed; test accounts must be strictly documented. Service accounts are a strictly controlled and documented exception in certain cases. Any account that does not conform to these rules may be deleted on the spot.

Click Next to proceed.

Account Password

Type a password in both the Password and Confirm password boxes and click Next. It must meet the password complexity requirements set up for the domain. NEVER use Password never expires! This is against our security and compliance policies, and we run audits for this condition.

The password must meet the domain's minimum length and contain characters from at least 3 of the following 4 categories:

• Uppercase letter
• Lowercase letter
• Number
• Special characters


User must change password at next logon should remain checked.

User cannot change password should not be checked.

Password never expires

This should NEVER be checked. It will flag the account on SOX audits. The entire domain is checked by an automated script every month, and before audits the entire domain is checked by a third-party service. If you set a password to not expire and it causes a finding on that audit, our Quest ChangeAuditor product records who took what action in Active Directory, and you will have to explain to the auditor and to business management why you did not follow the documented standards and endangered the company.

Account is disabled should not be checked for active accounts, as this will prevent the user from logging in.

Click Next when these fields are complete.


3. Accept the confirmation in the next dialog box by clicking Finish.
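The naming and password-step rules above (ASCII-only name fields, compound names without spaces in the logon identifiers, UPN identical to the e-mail address, a 20-character pre-Windows 2000 name with a unique digit on conflict, and the required checkbox states) as a PowerShell script. This is an added example, not part of the original standard or of any GroupM tooling. The name-building function is pure string logic; the account-creation part assumes the ActiveDirectory module (RSAT) and rights to create users. The sample names are those used in the text; the conflict list and the John Smith account are constructed.

```powershell
# Added example (not from the original standard). New-LogonNames needs no AD
# module; the New-ADUser call at the end assumes the ActiveDirectory module.
function New-LogonNames {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [string]$Initial = '',                       # only when the e-mail address includes it
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$MailDomain,   # the user's e-mail domain, e.g. groupm.com
        [string[]]$ExistingSamAccountNames = @()     # pre-Windows 2000 names already in the domain
    )
    # Name fields accept only the ASCII character set (no accented characters).
    foreach ($field in @($GivenName, $Initial, $Surname)) {
        if ($field -match '[^\x00-\x7F]') { throw "Non-ASCII character in name field '$field'" }
    }
    # Compound names keep their space in the First/Last name fields, but the
    # e-mail address, UPN and pre-Windows 2000 logon name have it removed.
    $parts = @($GivenName) + @($Initial | Where-Object { $_ }) + @($Surname)
    $local = (($parts | ForEach-Object { $_ -replace '\s', '' }) -join '.').ToLower()
    $upn   = "$local@$MailDomain"    # UPN and the mail attribute must be identical

    # sAMAccountName is limited to 20 characters. On a conflict the last (20th)
    # character becomes a unique digit; a middle initial is the alternative.
    $sam = $local.Substring(0, [Math]::Min(20, $local.Length))
    if ($ExistingSamAccountNames -contains $sam) {
        $base = if ($sam.Length -eq 20) { $sam.Substring(0, 19) } else { $sam }
        $sam  = $null
        foreach ($n in 1..9) {
            if ($ExistingSamAccountNames -notcontains "$base$n") { $sam = "$base$n"; break }
        }
        if (-not $sam) { throw "No free pre-Windows 2000 logon name for $local; use a middle initial" }
    }
    [pscustomobject]@{
        DisplayName       = "$GivenName $Surname"   # First name, a space, Last name
        UserPrincipalName = $upn
        EmailAddress      = $upn
        SamAccountName    = $sam
    }
}

# Worked cases from the standard (constructed conflict list):
New-LogonNames -GivenName 'Sutthisin' -Surname 'Sirachotesophol' -MailDomain 'groupm.com' `
    -ExistingSamAccountNames 'sutthisin.sirachotes'
# SamAccountName sutthisin.sirachote1, UPN sutthisin.sirachotesophol@groupm.com
New-LogonNames -GivenName 'Billy Bob' -Surname 'Thornton' -MailDomain 'media.com'
# SamAccountName billybob.thornton, UPN billybob.thornton@media.com

# Creating the account with the states the password step requires
# (hypothetical John Smith; the uniqueness checks query the domain).
$names = New-LogonNames -GivenName 'John' -Surname 'Smith' -MailDomain 'groupm.com' `
    -ExistingSamAccountNames (Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName)
if (Get-ADUser -Filter "UserPrincipalName -eq '$($names.UserPrincipalName)'") {
    throw "UPN $($names.UserPrincipalName) is already in use"   # UPNs must be unique in AD
}
New-ADUser -Name $names.DisplayName -DisplayName $names.DisplayName `
    -GivenName 'John' -Surname 'Smith' `
    -SamAccountName $names.SamAccountName -UserPrincipalName $names.UserPrincipalName `
    -EmailAddress $names.EmailAddress `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Initial password') `
    -ChangePasswordAtLogon $true -CannotChangePassword $false `
    -PasswordNeverExpires $false -Enabled $true
```

Setting -UserPrincipalName and -EmailAddress from the same value is what keeps the Exchange Online requirement (UPN equals mail) true from the first minute of the account's life; the ADUC wizard leaves the mail attribute empty and relies on someone filling it in later.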

User Properties or Attributes

You have now created an account, but additional information about this user is required for it to function properly.

4. Select Users in the left pane of the AD Users and Computers window, right-click the user and select Properties.

5. Add more information about the user in the Properties dialog box on the General tab, as shown in Figure 5 below, and click OK. You are provided with this selection of optional entries; click each tab you want to go to and enter the appropriate information.


General Tab

Display Name

On the General tab you see many of the fields you entered. The Display Name is built from the contents of the First name field, a space, and then the Last name field. If the first or last name changes later, make sure you change the Display Name as well. Just like the First and Last Name fields, only the ASCII standard character set can be used; characters with accents cannot be used.

Description

This field is free for you to update as you like. However, it is also used by essential system processes. SecureClient VPN groups are populated automatically with any user that has "SecureClient" in this field. We also have an automated process that cleans up AD, as follows:

If a user account has not had its password changed within 90 days (30 days past our requirement), it will be disabled.
If a computer account has not contacted the domain in over 120 days, it will be disabled.
If a user account has not had its password changed within 120 days, it will be deleted.
If a computer account has not contacted the domain in over 140 days, it will be deleted.


Exceptions

It is possible to circumvent this process. However, if you choose to do so, understand that you may be required to explain or provide documentation for why you are circumventing a security process that your company depends on for regulatory purposes. Circumventing the process would be understandable if the user is on extended leave (maternity, sabbatical, etc.).

To prevent the process from disabling or deleting a user or computer account, modify the Description field of the user or computer account in AD to contain EXACTLY the term "nodisable"; additionally, include your reason for not disabling or deleting the account.

Note: Once a computer account is disabled, users on that computer can no longer log on to AD, and the computer will no longer process GPOs. But since this computer has not contacted AD, this should not matter. Any account disabled by this process will have its description updated to note that it was disabled by the automatic process.
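The clean-up process and the "nodisable" exception just described, together with the monthly Password never expires check from the Account Password section, as one PowerShell function. This is an added example, not the automated process the standard refers to; it assumes the ActiveDirectory module, uses the day thresholds stated in the text, and is meant to be run with -WhatIf first. The wording of the description stamp and the handling of accounts whose password has never been set are assumptions.

```powershell
# Added example (not GroupM's clean-up script). Dry run: Invoke-StaleAccountCheck -WhatIf
function Invoke-StaleAccountCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$UserDisableDays     = 90,    # password unchanged this long: disable
        [int]$UserDeleteDays      = 120,   # password unchanged this long: delete
        [int]$ComputerDisableDays = 120,   # no contact with the domain: disable
        [int]$ComputerDeleteDays  = 140    # no contact with the domain: delete
    )
    $now   = Get-Date
    $stamp = "Disabled by automated stale-account process on $($now.ToString('yyyy-MM-dd'))"  # assumed wording

    # Users: age is the time since the last password change. An empty
    # PasswordLastSet (pwdLastSet = 0) means "must change at next logon"; such
    # accounts are skipped rather than treated as stale (assumption, not stated in the standard).
    foreach ($u in Get-ADUser -Filter * -Properties PasswordLastSet, Description) {
        if ($u.Description -clike '*nodisable*' -or -not $u.PasswordLastSet) { continue }  # documented exception
        $age = ($now - $u.PasswordLastSet).Days
        if ($age -ge $UserDeleteDays) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Delete user, password age $age days")) {
                Remove-ADUser -Identity $u -Confirm:$false
            }
        } elseif ($age -ge $UserDisableDays -and $u.Enabled) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable user, password age $age days")) {
                Disable-ADAccount -Identity $u
                $desc = if ($u.Description) { "$stamp; $($u.Description)" } else { $stamp }
                Set-ADUser -Identity $u -Description $desc   # record why the account was disabled
            }
        }
    }

    # Computers: age is the time since the machine last contacted the domain.
    # LastLogonDate comes from the replicated lastLogonTimestamp, which can lag
    # the true last logon by up to 14 days; the thresholds leave room for that.
    foreach ($c in Get-ADComputer -Filter * -Properties LastLogonDate, Description) {
        if ($c.Description -clike '*nodisable*' -or -not $c.LastLogonDate) { continue }
        $age = ($now - $c.LastLogonDate).Days
        if ($age -ge $ComputerDeleteDays) {
            if ($PSCmdlet.ShouldProcess($c.Name, "Delete computer, last contact $age days ago")) {
                Remove-ADComputer -Identity $c -Confirm:$false
            }
        } elseif ($age -ge $ComputerDisableDays -and $c.Enabled) {
            if ($PSCmdlet.ShouldProcess($c.Name, "Disable computer, last contact $age days ago")) {
                Disable-ADAccount -Identity $c
                $desc = if ($c.Description) { "$stamp; $($c.Description)" } else { $stamp }
                Set-ADComputer -Identity $c -Description $desc
            }
        }
    }

    # The condition the monthly audit looks for: report it, never fix it silently.
    Search-ADAccount -PasswordNeverExpires -UsersOnly |
        Select-Object SamAccountName, Enabled, LastLogonDate
}

Invoke-StaleAccountCheck -WhatIf     # prints what would be disabled or deleted; changes nothing
```

The "nodisable" comparison is case-sensitive (-clike) because the standard says the term must appear EXACTLY; a looser match would let "NoDisable" or "no disable" bypass the process unnoticed in a later review of descriptions.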

Office

The Office field is important for the Office Directory and our software licensing procedures. Only specific values may be entered here, and no typos are allowed. Those values are visible in AD Users and Computers under the Offices OU. This value must be added to the user account by Local IT, or the software reporting functions will fail and the user will not show up in the office directory.


Telephone Number

The telephone number field is crucial for GroupM's Global Directory. If it has the wrong value, the user's phone system will not work properly! The value in this field must be the user's direct office telephone number in the E.164 telephone number format (http://www.itu.int/rec/T-REC-E.164/en): it must begin with the + sign, followed by the 1-, 2- or 3-digit country code, followed by the phone number, so that any international phone can dial it. Even if you are not on the Cisco IPT solution, it is essential for your number to follow this format so that you can be dialed by users who are. It is also used by other systems such as SharePoint, Jive and Unified Communications. The number must not contain spaces, brackets or hyphens: the same number written with spaces, with hyphens, or with a bracketed "(0)" trunk prefix is not a valid value.

E-mail

This field is also important. It MUST match the user's current e-mail address and UPN; it is used by many applications and by Exchange. When the UPN or e-mail address changes, this field must be updated as well.
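A check for the two attribute rules above, E.164 telephone numbers and a mail attribute equal to the UPN, as an added PowerShell example that is not part of the original standard. Test-E164Number is pure string logic; the audit function assumes the ActiveDirectory module. The sample numbers are constructed.

```powershell
# Added example. E.164: a leading +, then at most 15 digits, the first of which
# is the non-zero start of the country code; nothing else is allowed.
function Test-E164Number {
    param([AllowEmptyString()][string]$Number)
    return ($Number -match '^\+[1-9]\d{1,14}$')   # rejects spaces, brackets and hyphens
}

# Constructed samples:
Test-E164Number '+442012345678'          # True
Test-E164Number '+44 (0)20 1234 5678'    # False: spaces, brackets and a "(0)" trunk prefix
Test-E164Number '020-1234-5678'          # False: no + and country code, hyphens

# Report enabled users whose mail attribute differs from the UPN or whose
# telephoneNumber is not E.164. Read-only; fix the findings by hand or with Set-ADUser.
function Get-DirectoryAttributeViolations {
    Get-ADUser -Filter * -Properties mail, telephoneNumber |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $problems = @()
            # -ne is case-insensitive in PowerShell, which is right for mail addresses
            if ($_.mail -and $_.mail -ne $_.UserPrincipalName) {
                $problems += "mail '$($_.mail)' differs from UPN '$($_.UserPrincipalName)'"
            }
            if ($_.telephoneNumber -and -not (Test-E164Number $_.telephoneNumber)) {
                $problems += "telephoneNumber '$($_.telephoneNumber)' is not E.164"
            }
            if ($problems) {
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; Problems = $problems -join '; ' }
            }
        }
}

Get-DirectoryAttributeViolations | Format-Table -AutoSize
```

The regex deliberately does not try to repair a number (strip spaces, drop a "(0)"); a value that fails the check is returned for a person to correct, because guessing the trunk-prefix convention wrong produces a number that dials somewhere else.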


Web Page

Leave this field alone; SharePoint uses it for MySites.


Organization Tab

The Department and Company attributes should be managed by the Local Administrator. The Company value is critical to security and proper operations: if it is set improperly, you will be giving this user access to the wrong company's resources!

Company

The approved values for this field are kept in this SharePoint list: https://inside.wppgts.com/Design/DirectoryServices/Lists/AD%20DS%20Approved%20Company%20Values/AllItems.aspx. Any other value will cause problems with the mail and application systems.


GroupCompany

If the user is a member of a smaller company that is not on the "Approved Company Values" SharePoint list above, you must determine whether that user's company is closely associated with one of the brands on the list. If it is close enough that this sub-company should be allowed access to all the broadcast e-mails, the intranet and even file security for the entire top-level company, obtain approval from local business management and the global communications director of that brand. Once that approval is obtained, record it in the list. The "Approved Group Company Values" list can be used for sub-brands, affiliates and JVs after following this process. These values cannot go in the Company attribute; they are used in the groupmcompany attribute.

Unfortunately the groupmcompany attribute is not normally available in the Active Directory Users and Computers tool; it is not on the Organization tab. To access it in ADUC you must turn on Advanced Features by clicking the View menu and selecting Advanced Features. This adds additional tabs to the Properties view of the user object.


Under the Attribute Editor tab, scroll down until you find the groupmcompany attribute. Select it and click Edit.


At the edit screen enter the approved Group Company value.

Do not use this feature on other values. You risk destroying the user account.

If you are confused, or the user is a member of an affiliate or JV, contact the Global Infrastructure and Operations Team.

EmployeeID

Certain countries use the EmployeeID with applications. To do this, please register the application with Global IT so we can avoid conflicts and ensure


performance. For example, the US uses it with Concur for authentication, GTS uses it for timesheets, and Russia is using it as well. This field is hidden and has no interface for editing, so you can use the Attribute Editor as shown above, or use the small applet we have built to manage it on a user-by-user basis; contact Global IT to request it.

We do have a standard for this field. The EmployeeID should be the HR number assigned to the user. Do NOT use this field if the HR number cannot be publicly known, because the value is readable by anyone with access to AD. Because we typically have different HR systems in each country, we would eventually face conflicts; to avoid this, the first two characters are reserved for the country, using the ISO 3166-1 country codes. Where there is more than one HR system in a country, the second HR system uses a 0 as the third character, the third uses a 1, and so on. So my EmployeeID field should be US for United States followed by my HR number, for example US00001.
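The EmployeeID composition rule above and the scripted way to set the two attributes that ADUC hides (EmployeeID and groupmcompany), as an added PowerShell example that is not part of the original standard or of the applet it mentions. New-EmployeeId is pure string logic; the Set-ADUser call assumes the ActiveDirectory module. The account name john.smith and the group-company value are placeholders.

```powershell
# Added example. Builds the EmployeeID as [ISO 3166-1 alpha-2 country][HR-system marker][HR number].
function New-EmployeeId {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Z]{2}$')][string]$CountryCode,
        [Parameter(Mandatory)][string]$HrNumber,
        [int]$HrSystemIndex = 1   # 1 = the country's first HR system (no marker); 2 -> '0', 3 -> '1', ...
    )
    # RegionInfo throws for strings that are not real ISO 3166-1 alpha-2 codes.
    $null = [System.Globalization.RegionInfo]::new($CountryCode)
    $marker = if ($HrSystemIndex -gt 1) { [string]($HrSystemIndex - 2) } else { '' }
    return "$CountryCode$marker$HrNumber"
}

New-EmployeeId -CountryCode 'US' -HrNumber '00001'                    # US00001, as in the standard
New-EmployeeId -CountryCode 'US' -HrNumber '00001' -HrSystemIndex 2   # US000001: second US HR system

# Set the two hidden attributes on a user. groupmcompany is the schema
# extension named in the standard and has no Set-ADUser parameter, so it goes
# through -Replace; naming one attribute there is the scripted equivalent of the
# Attribute Editor steps and touches nothing else on the object.
# Only do this when the HR number may be publicly known: every AD user can read it.
$employeeId = New-EmployeeId -CountryCode 'US' -HrNumber '00001'
Set-ADUser -Identity 'john.smith' `
    -EmployeeID $employeeId `
    -Replace @{ groupmcompany = 'ApprovedGroupCompanyValue' }   # placeholder: take the value from the approved list
```

Before running Set-ADUser in bulk, compare the intended groupmcompany value against the "Approved Group Company Values" list; -Replace will happily write any string, and the standard's warning about destroying the account applies just as much to a script as to the Attribute Editor.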

Terminal Services Profile Tab

This tab can be edited at the discretion of Local IT, but should be used rarely.

Environment Tab

This tab can be edited at the discretion of Local IT, but in general should not be used.

Sessions & Remote Control Tabs

These tabs can be edited at the discretion of Local IT, but in general it is better to manage this on the Terminal Server, where the settings can be applied uniformly to all users.

COM+, Security, Published Certificates, Password Replication, Dial-In, Object & Attribute Editor Tabs

These tabs should not be ad